In September of 2023, a ransomware attack on Johnson Controls International (JCI) was reported in SEC filing 001-13836 using Form 8-K. JCI is a global supplier of Building Automation systems and other services and technologies with a large footprint in the real estate industry. They have a controller for just about any type of system that can be found in a building.
Not much has been said about what was actually taken by the bad actors. It could have been source code, credentials, new systems in the R&D stage, competitor information, or maybe just some Excel files. We will never know, and that’s what is most worrisome.
When a key manufacturer of one of your building systems is hit with a cyber-attack, how does this affect your buildings and/or your company’s cyber security posture at the property level? Some things to think about:
What information is housed in your building systems (BMS, Access Control, Camera system, more) that a cyber-attacker may find valuable? Some that come quickly to mind are:
Tenant names, tenant personal names
IT closet, electric room, equipment room locations
Alone, one or two of these items may not seem concerning, but attackers combine information from different sources to establish their most profitable angle of attack. Also, this and other data can be easily consolidated and placed ‘for sale’ to other bad actors, naming you as the source.
The US (California CCPA) and Europe (GDPR) have data privacy laws and your company may also have data privacy policies that have to be followed. Many other states in the US are following along the same lines. This could create backlash to you as the data owner, far down the line.
Are your building systems using a cloud-based operating model? If so, the vendor operating that system must have controls, policies, procedures, and cyber technology in place to lower the risk of cyber-attacks and data breaches. The ability to demonstrate these upon request should be part of an annual review.
Are your building systems locally managed and operated? Local vendors have the same responsibilities to your cyber protection but should also be able to demonstrate that their operators have agreed to and been trained on your cyber policies. Along with managing secure daily operations, the OT networks where these systems live need to have the proper segmentation, access control, and monitoring in place to ensure bad actors cannot easily traverse to other resources, should they gain access to any one LAN.
Are you using any Point-of-Sale systems for vending and parking payments? These systems need special cyber security consideration because of the type of data they collect and process. Encryption is essential, but so too are network segmentation and access control for PII and credit card information.
5Q Cyber specializes in cyber security technology, monitoring and policies for building technology when you need help. More IT-based building systems (smart curtains, smart glass, virtual tours, smart restrooms, EV charging, and more) are being installed in buildings to improve tenant experience and make monitoring and control of basic building functions more efficient. Each of these systems has valuable information cyber-attackers want. Don’t wait for another kink in your supply chain armor. Act now.